Data Security 2017: Lessons Learned Last Year

There is absolutely no doubt that last year was a notoriously memorable year. Not only did the stolen NSA cyber weapons become integrated into new dangerous forms of ransomware, the scale of attacks were global. Many other data breaches happened as well and seemed to have been caused by negligent insiders. There was also the hacktivism campaign called the Paradise Papers which caused economic and political fallout across the globe. Lastly the United States suffered a number of data breaches in powerful institutions including the well known Equifax breach. With these incidents there is no shortage of data security lessons we could take away here. So let’s get started!

Insider Incidents Now More Devastating

In 2017 the impact of an insider incident has scaled exponentially. Much of this can be attributed to two factors malware traps and Ransomware-as-a-Service. According to a survey by PWC Insiders caused more than 51% of data breaches. Now this shouldn’t surprise many experts, what is important is that the ways in which insiders cause data breaches are often through downloading email attachments and visiting websites that act as a vector for spreading malware. The malware that negligent insiders do encounter is often categorized as ransomware. This means there is a 93% chance that whatever email attachments insiders download is actually ransomware waiting to seize your network.

Lesson 1: Always have a response plan

This is why one of the most important takeaways here is for organizations to have an incident response plan. In the event of an insider caused data breach you want processes in place that cover mitigation, communication, operational, and investigation needs. The purpose of an incident response plan is to limit the scope of damage done and ensure there are smooth communications during all the inevitable chaos.

An incident response plan needs to have the following components: clear mission, firm-wide approach for incident response, streamlined communication framework, incident response key performance indicators, maturity model for incident response, and company integration. Even with an incident response plan in place it is important that each person involved knows their responsibility and carries it out. The first part of incident response is to mitigate the damage, for ransomware attacks this means DO NOT pay the ransom and make sure to turn off the device as soon as it begins to encrypt files, also make sure to cut off any backdoors to external hackers. After mitigation comes communication, there were several examples in 2017 of companies that failed to communicate there was a data breach. In Paradise Papers example Appleby did not report a data breach for nearly a year and it has cost them.

Your communications plan should include frequency of communication, channels of communication, and level of detail to be communicated. Beside the GDPR requires that you have an incident response plan in place. It would be wise to follow it if you wish to start or continue business in Europe.

Enhanced Malware Means Greaters Losses

What’s worse than malware? How about NSA developed cyber weapon enhanced malware? The most severe data breaches of 2017 had strong incorporation of cyber weapons stolen from the NSA by a team called the Shadow Brokers. These cyber weapons have been incorporated into some of 2017’s most notorious data breaches including NotPetya and WannaCry, which made use of the EternalBlue exploit developed by the NSA. Cyber security experts fear that future cyber attacks will make even more use of the stolen NSA weapons since their success has been proven.

Lesson 2: Always Keep Everything Updated

While this is straightforward it would seem that not many organizations took this seriously. One of the key threads that tie the cyber weapons together is that they rely on outdated software and operating systems. When NotPetya and WannaCry broke out it was revealed that Microsoft had put out a patch for unsupported systems which was not installed by impacted victims. Most of the machines attacked were Windows XP which Microsoft stopped supported a while ago. These outdated systems placed organizations at risk for much more severe attacks. This is why it is important to always update your systems, software, and browsers.

Business Partners Need to Communicate About Security Processes

Ah the GDPR, it is a term of dread to many business leaders now who feel their industry as a whole is woefully unprepared to be in compliance. One such industry is the medical industry, who has almost unanimously stated that they are unprepared. This is because of the amount and types of data that is shared constantly among different institutions in the medical industry. However, there is another underlying issue at work here, communication. The private sector tends to have an issue when it comes to developing shared processes unless there is risk in not doing so. While the GDPR is that existential risk, compliance should not be the only driver for cooperation and communication. Cyber security in itself should motivate industries to developed shared security processes and systems of accountability. Policy often reacts too late, the private sector will need to start leading cyber security innovation to keep their customers and themselves safe. Sharing information about cyber threats helps inform and mitigate damage done to a whole industry. US financial institutions practice this very well, and the Department of Defense has been active in trying to rally private sector organizations to work together more.

Lesson 3: Share Information and Processes

Organizations need to be better equipped to identify, assess, monitor, and respond to increasingly dangerous cyber threats. There is no better source for information that your very peers, who share the same struggles and vulnerabilities as you do. The goal of information sharing is to build up a collective resilience to cyber attacks. If you seek to start discuss about sharing cyber threat information then start with the following areas: compromise indicators, insider tactics, external tactics, best practice mitigation actions, when attacks happen, and most importantly final analysis of an attack. This information provides a wealth of insight that helps guide future development of the industry.

One such initiative was the Industrial Internet Consortium (IIC) which was formed in part by GE. The initiative is made up of some of the largest industrial companies in the world, with the sole intention of producing frameworks, guides, and a platform of communication to address the threats inherent in the industrial internet of things.

Powerful Institutions Have Weak Foundations

Last but not least, how could we forget Equifax. Without a doubt the largest cyber security breach in US history happened in 2017 and revealed just how poorly prepared Equifax was to handle a data breach. What made the Equifax breach unique was that they are a central institution that the entire country relies on. The other important factor here is that Equifax has records on every single American and business entity without the consent of the people. Usually when there is a data breach a credit monitoring agency offers free credit monitoring for a year. However, in this case that couldn’t exactly work since the credit monitoring agency was the one hacked. This didn’t stop them from attempting to run the same process. Were there lessons to be learned here? Yes, of course: basic encryption (most data was in txt format), lack of response plan, poor communications, and malicious insiders. The list goes on.

The biggest takeaway this year is that no institution, regardless of size, is immune to a cyber attack. So lesson 4 is always assume you will face a cyber attack. Cyber security experts make it clear that when it comes to cyber threats, it is not a question of if but a question of when. Let us start 2018 the right way with some excellent cyber security practices. Happy New Year! Click below to learn more about Teramind.

Isaac Kohen started his career in quantitative finance developing complex trading algorithms for a major Wall Street hedge fund. During his tenure at Wall Street and his subsequent experience securing highly sensitive data for large multi-national conglomerates, he identified the market need for a comprehensive insider threat and data loss prevention solution. And so, Teramind was born. Isaac is a well-recognized thought leader in the security industry with many of his articles published in Forbes, Inc, Tripwire, and CSO Online. Read more industry thought leadership articles on Isaac's LinkedIn.